Posted by timothy on Tuesday October 25, 2011 @12:33PM from the hey-fellas-this-just-looks-bad dept.

Lauren Weinstein writes "Google is handling SSL search queries on https://www.google.com/ in a manner significantly different than the standard, expected SSL end-to-end behavior — specifically relating to referer query data. These changes give the potential appearance of favoring sites that buy ads from Google. Regardless of the actual intentions, I do not believe that this appearance is in the best interests of Google in the long run."

The gist: Google actively hides referer data when linking from the new SSL site, even if the site that is linked to is also an SSL site, except when the link is an ad.

Well, tough titties. It's Google's site, they can link to you any way they want. If they want to redirect the visitor in a way that hides the query from the linked-to site, that's their prerogative. They could simply make their whole search engine POST the query and you'd never see the search terms, not even with plain HTTP. What are you gonna do about it? Oh right, whine on your blog and have Slashdot link to it.

I turn off the referer header in all browsers and proxies I set up. With the exception of a few shady third-rate direct download web sites whose hotlinking protection trips over this, nobody requires it. One information leak less to worry about. Eat shit, SEO scum.

The https move in itself is not bad... but the way it is implemented messes up statistics (you know that stuff came from Google but not the search keywords) and the operation of some sites (displaying a page with the queried keyword to boost relevance). They say it affects less than 1% of queries (only logged-in users)... but I think that is a low number. Who is not logged into Gmail? Maybe not everybody, but I suspect the figure is higher than 1%.

Among others, they could in theory fix that with a redirect to an http site they own, then redirect to the final site. I am sure there are other ways if they sit around long enough.
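The keyword loss the comments above describe can be made concrete. The following is an added example, not code from the thread or from Google: it applies the client-side rule of RFC 2616 section 15.1.3 (a browser should not send a Referer on a plain-HTTP request when the referring page was served over HTTPS, and never sends the fragment), and then runs a site-side analytics pass over a few constructed combined-format access-log lines to count how many Google-sourced hits still carry search keywords. The log lines, hostnames and addresses are constructed; the check assumes keywords ride in the `q` query parameter of a `*.google.com` referer, as Google search URLs did.

```python
"""Referer downgrade rule plus a keyword-loss report over access logs.

Added example (not the thread's or Google's code).  The sample log lines
below are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Apache/nginx "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_for(from_url, to_url):
    """Return the Referer value a conforming client sends, or None.

    RFC 2616 section 15.1.3: no Referer on a non-secure request when the
    referring page was secure; the fragment is never part of the Referer.
    """
    src, dst = urlsplit(from_url), urlsplit(to_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None  # HTTPS -> HTTP downgrade: the query never leaves the secure origin
    return urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))


def classify_referer(referer):
    """Classify one Referer value as ("none"|"google"|"other", keywords)."""
    if not referer or referer == "-":  # "-" is how the log format writes an absent header
        return ("none", None)
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if host == "google.com" or host.endswith(".google.com"):
        q = parse_qs(parts.query).get("q")  # assumption: keywords in the q parameter
        return ("google", q[0] if q else None)
    return ("other", None)


def search_traffic_report(log_lines):
    """Count Google-sourced hits with and without keywords across log lines."""
    report = {
        "no_referer": 0,
        "google_with_keywords": 0,
        "google_no_keywords": 0,
        "other_referer": 0,
        "unparsed": 0,
    }
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            report["unparsed"] += 1  # malformed line: count it rather than silently drop it
            continue
        source, keywords = classify_referer(match.group("ref"))
        if source == "none":
            report["no_referer"] += 1
        elif source == "google":
            report["google_with_keywords" if keywords else "google_no_keywords"] += 1
        else:
            report["other_referer"] += 1
    return report


# Constructed sample: one hit with keywords, one from Google without them,
# one with no Referer at all, one from another site, and one garbage line.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Oct/2011:12:33:01 +0000] "GET /article HTTP/1.1" 200 5120 '
    '"https://www.google.com/search?q=referer+leak" "Mozilla/5.0"',
    '198.51.100.8 - - [25/Oct/2011:12:33:05 +0000] "GET /article HTTP/1.1" 200 5120 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Oct/2011:12:33:09 +0000] "GET /article HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
    '198.51.100.10 - - [25/Oct/2011:12:34:00 +0000] "GET /img/logo.png HTTP/1.1" 200 812 '
    '"https://blog.example.net/post/1" "Mozilla/5.0"',
    "garbage line",
]

if __name__ == "__main__":
    # The same HTTPS search result page, linked to an HTTPS and to an HTTP site.
    search = "https://www.google.com/search?q=referer+leak"
    print(referer_for(search, "https://example.com/"))  # keywords reach the site
    print(referer_for(search, "http://example.com/"))   # None: dropped on downgrade
    print(search_traffic_report(SAMPLE_LOG))
```

The report separates "came from Google, keywords visible" from "came from Google, keywords gone", which is exactly the distinction a site loses when the referer arrives with the query removed; `referer_for` shows that an HTTPS-to-HTTP hop alone would already blank it under the standard rule, independent of anything the search engine does.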

You know, I'd be a lot more concerned about this kind of thing if we weren't hearing Slashdot stories crying wolf practically every day. I'm just not impressed with people trying to call Google evil anymore; none of these so-called revelations have panned out so far, so how likely is this one to go any differently?

Yes, it is better for Google's users because they get to see referer data, probably even when they shouldn't.

Oh... you thought *you* were one of Google's users? Chances are you are the product, not a customer or a user.

I know exactly who the 'product' and who the 'consumer' of Google is.

It's irrelevant to this. When traffic is HTTP or HTTPS for Google searches, Google gets that traffic either way. When the traffic is HTTPS though, that means FEWER people are getting it (wireless sniffing, routers along the way, etc.) in an unencrypted format. I really could care less what information the sites I go to are missing from the search I entered that brought me to them.

Really? Why do you say that? SSL still takes a fair amount of CPU overhead. Compared to an HTTP connection, HTTPS is markedly slower (aggregated over thousands of connections). I've seen a couple sites that use HTTPS exclusively throw up transparent SSL accelerator appliances in front of their servers to allow them to only need a fraction of the number of hosts for actually hosting the data.

That's not the point at all. Frankly, this has only little to do with SSL.

The point is that if you pay for Google ads, you will receive the referer information, regardless of whether your site uses HTTPS or not, even when it breaks security for the user. If you don't pay you won't get the info.

I would love to pay for Google. I would rather pay, get zero ads (without ad blocking), and BE the customer. Let the company's interest align with pleasing me rather than USING me. Today, there is rarely an option to pay for services directly. So your only choice is often a "free" service where your every movement is harvested for ad dollars.

This is why you disable third-party cookies, and use Adblock Plus and NoScript.

Users have to be proactive about security. Nearly every fucking site out there is actively working against good security practices even when they're not compromised by an attacker. The browsers are all in a race to reach stupid version numbers, pass some arbitrary and ridiculously convoluted css benchmark, and enable javascript bloat by endlessly tweaking the performance of the js engine.